As part of the 2018 National Defense Authorization Act, the Defense Department has until June to start moving much of its custom-developed software source code to a central repository and begin managing and licensing it via open source methods.

The mandate might prove daunting for an organization in which open source practices are relatively scarce, especially considering that, until recently, there was no established open source playbook for the federal government. That’s begun to change, however, with the Office of Management and Budget’s code.gov, and its DoD corollary, code.mil, run by the Defense Digital Service (DDS).

In February, code.mil underwent a “relaunch,” changing it from a GitHub-hosted, text-only, how-to guide to what its managers say is both a code repository and a full-fledged toolset for software program managers who need guidance on how to engage in open source practices within the government.

Just a couple of days back, CTS researchers exposed more than a dozen ‘critical’ vulnerabilities in AMD chips marketed under the brand names Ryzen and Epyc. The company also claimed that a backdoor exists in AMD processors. Their revelation came with a well-decorated website, a whitepaper, and a video.

Intel has published the Intel Processor Microcode Package for Linux 20180312 release with the latest improvements around the microcode-based approach for Spectre CPU vulnerability mitigation, succeeding their microcode updates from earlier in the year.

A federal judge is going to let a bunch of people keep suing Yahoo over its three-year run of continual compromise. Yahoo had hoped to get the class action suit tossed, stating that it had engaged in "unending" efforts to thwart attacks, but apparently it just wasn't good enough to prevent every single one of its three billion email accounts from falling into the hands of hackers.

The Kubernetes orchestration platform is such a gigantic open source project that its evolution is inherently rapid. The pace of change significantly increases the importance of adhering to security best practices when using the ever-changing Kubernetes platform to automate deployment, scaling, and management of containerized cloud-native applications.

Ultimately, effective security also supports the entire Kubernetes project, since the technology's overall adoption depends on the confidence and trust that Kubernetes earns and establishes. That said, standard security procedures and practices that work well in traditional environments are often inadequate for securing Kubernetes environments, where traffic is vastly more dynamic, and where there must be security in place around the pods, containers, nodes, and images.

Valve still hasn't acquired RAD Game Tools, but their close relationship still continues to be paying off with good Linux support out of RAD's game development tools for those developers wishing to target Linux.

RAD Game Tools have generally supported Linux with their different offerings from Oodle compression to the Miles Sound System and also being the ones helping Valve develop the former VOGL debugger. As of this week, their Telemetry product now works on Linux too with its CLI tools and visualizer whereas previously they just supported Linux for capturing from its server component.

I'm such a sucker when it comes to games involving space travel, exploration and building a ship. Turns out that Space Impossible [Steam, Official Site] has a Linux version on Steam.

I've been speaking with the developer, who provided me with a key to test and it turns out it actually works really nicely. There's only one issue, which is very common when it comes to having more than one monitor with the wrong resolution picked—easy to work around for now. Apart from that though, I've not seen any issues holding it back.

Virtual private networks (VPNs) offer a lot in the way of increased security and privacy. They have also tended to offer less desirable features like administrative complexity and reduced performance, though; as a result, many potential VPN users decide not to bother. A relatively new project called WireGuard hopes to address both of those problems with an in-kernel solution that is both simple and fast.

A VPN works by establishing an encrypted connection from an endpoint system to a trusted host elsewhere on the network. That host becomes the router through which some or all network traffic from the endpoint passes. Since this tunnel is encrypted, traffic that travels over the VPN is protected from eavesdroppers — until it reaches the trusted host, at least. Setting up the VPN connection in the first place requires authentication between the endpoints; that, in turn, allows hosts to place some trust in the packets coming over the VPN connection. It is thus a common configuration to only allow internal resources to be accessed via a VPN connection.

In this new Science category within It’s FOSS, we dive into the exciting world of Innovative Science to explore and find out about how the Linux-based Operating System and Open Source are playing a significant role in the major scientific breakthroughs that are taking place in our daily lives.

"Hello world" is the beginning of everything when it comes to computing and programming. It's the first thing you learn in a new programming language, and it's the way you test something out or check to see if something's working because it's usually the simplest way of testing simple functionality.

Warriors of programming language wars often cite their own language's "hello world" against that of another, saying theirs is shorter or more concise or more explicit or something. Having a nice simple readable "hello world" program makes for a good intro for beginners learning your language, library, framework, or tool.

The Linux 4.16 kernel is at least two or three weeks out from being released, but Intel has already submitted their i915 DRM driver feature changes for Linux 4.17 and are now beginning to think about their feature changes for Linux 4.18.

Intel's feature changes for Linux 4.17 are now staged in DRM-Next with hitting that soft cutoff deadline ahead of the next kernel cycle. Intel Direct Rendering Manager updates for Linux 4.17 include Cannonlake "Gen 10" graphics now being considered stable, the very early bits of Icelake "Gen 11" support, and a lot of low-level code improvements. To little surprise, Linux 4.17 is looking like another exciting cycle on the feature/improvement front.

While there doesn't appear to be too many Intel BayTrail users out there running systems with Coreboot, this generation of hardware that's been a bit notorious with Linux users due to varying issues can now find at least a bit better graphics support with the latest Coreboot code.

Mesa 18.0's delay of more than one month and without any new release candidate came while the open-source Intel developers were hunkered down to clear the remaining blocker bugs.

Fortunately, it appears the remaining Mesa 18.0 blocker bugs are now resolved, meaning the official release could come in a matter of days depending if they decide to first do a Mesa 18.0-rc5 release for last minute testing.

While Ubuntu 18.04 LTS "Bionic Beaver" is just one month away from release, the developers working on the Mir display server code are still working to get an example desktop session into this release.

Details remain light but in writing yesterday about changes the UBports' team needs to make for Ubuntu 18.04 LTS support, longtime Mir developer Alan Griffiths commented, "The Mir team is aiming to have the necessary tweaks in place for the 18.04 release along with an example "Mir" desktop session." The tweaks needed for Mir in Ubuntu 18.04 are not using Mir-on-Mir and client applications using libmirclient cannot be using EGL otherwise only software-based rendering will work.

Timothy Arceri of Valve's open-source Linux GPU driver team is out with his latest set of patches to further enhance the RadeonSI Gallium3D driver.

Timothy's latest objective remains with improving the RadeonSI NIR back-end for using this modern intermediate representation alternative to Gallium3D TGSI. NIR is important for getting the OpenGL 4.6 bits in place with SPIR-V ingestion / better interoperability with the RADV Vulkan driver and the already-written code paths using NIR.

At linux.conf.au (LCA) 2017 in Hobart, Tasmania, Keith Packard talked with kernel graphics maintainer Dave Airlie about how virtual reality devices should be hooked up to Linux. They both thought it would be pretty straightforward to do, so it would "only take a few weeks", but Packard knew "in reality it would take a lot longer". In a talk at LCA 2018 in Sydney, Packard reported back on the progress he has made; most of it is now in the upstream kernel.

Packard has been consulting for Valve, which is a game technology company, to add support for head-mounted displays to Linux. Those displays have an inertial measurement unit (IMU) for position and orientation tracking and a display with some optics. The display is about 2Kx1K pixels in the hardware he is working with; that is split in half for each eye. The displays also have a "bunch of lenses", which makes them "more complicated than you would hope".

The display is meant to block out the real world and to make users believe they inhabit the virtual reality. "It's great if you want to stumble into walls, chairs, and tables." Nearly all of the audience indicated they had used a virtual reality headset, leading Packard to hyperbolically proclaim that he is the last person in the universe to obtain one.

Both the free-software and security communities have recently been focusing on the elements of our computers that run below the operating system. These proprietary firmware components are usually difficult or impossible to extend and it has long been suspected (and proven in several cases) that there are significant security concerns with them. The LinuxBoot Project is working to replace this complex, proprietary, and largely unknown firmware with a Linux kernel. That has the added benefit of replacing the existing drivers in the firmware with well-tested drivers from Linux.

To understand LinuxBoot and the problem it's working to solve, we first have to discuss how computers actually boot. We usually think of a running system as including the hardware, operating system (OS), and applications. However, for a number of reasons, there are several layers that run between the hardware and the OS. Most users are aware of UEFI (which replaced the older BIOS); for many systems, it prepares the system to run and loads the bootloader. These necessary functions are just the tip of the iceberg, though. Even after the computer finishes loading the OS, there are multiple embedded systems also running on the system entirely separate from the OS. Most notably, the Intel Management Engine (ME) runs a complete Minix operating system, while System Management Mode (SMM) is used to run code for certain events (e.g. laptop lid gets closed) in a way that is completely invisible to the running OS.

This is the fourth article of a series discussing various methods of reducing the size of the Linux kernel to make it suitable for small environments. Reducing the kernel binary has its limits and we have pushed them as far as possible at this point. Still, our goal, which is to be able to run Linux entirely from the on-chip resources of a microcontroller, has not been reached yet. This article will conclude this series by looking at the problem from the perspective of making the kernel and user space fit into a resource-limited system.

A microcontroller is a self-contained system with peripherals, memory, and a CPU. It is typically small, inexpensive, and has low power-consumption characteristics. Microcontrollers are designed to accomplish one task and run one specific program. Therefore, the dynamic memory content of a microcontroller is usually much smaller than its static content. This is why it is common to find microcontrollers equipped with many times more ROM than RAM.

For example, the ATmega328 (a popular Arduino target) comes with 32KB of flash memory and only 2KB of static memory (SRAM). Now for something that can boot Linux, the STM32F767BI comes with 2MB of flash and 512KB of SRAM. So we'll aim for that resource profile and figure out how to move as much content as possible from RAM to ROM.

The kernel stack is a small, frequently reused region of memory in each thread's address space. That reuse allows for efficient memory use and good performance as a result of cache locality, but it also presents a problem: data left on the stack can also end up being reused in ways that were not intended. The PaX patch set contains a mechanism designed to clear that data from the stack and prevent leaks, but an attempt to merge that code into the kernel has run into a snag.

By design, the C language does not define the contents of automatic variables — those that are created on the stack when the function defining them is called. If the programmer does not initialize automatic variables, they will thus contain garbage values; in particular, they will contain whatever happened to be left on the stack in the location where the variables are allocated. Failure to initialize these variables can, as a result, lead to a number of undesirable behaviors. Writing an uninitialized variable to user space will leak the data on the stack, which may be sensitive in one way or another. If the uninitialized value is used within the function, surprising results may ensue; if an attacker can find a way to control what will be left on the stack, they may be able to exploit this behavior to compromise the kernel. Both types of vulnerability have arisen in the kernel in the past and will certainly continue to pop up in the future.

While LLVM 6.0 is now available and it includes the Retpoline compiler-side support for Spectre V2 mitigation, an LLVM 5.0.2 point release is coming to back-port it to their previous stable series.

Tom Stellard at Red Hat is planning to do an LLVM 5.0.2 release primarily for getting the Spectre mitigations out there for those that may not yet want to switch to the newly-christened LLVM 6.0.0 release.

DragonFFI is a foreign function interface (FFI) built using the LLVM and Clang compiler stack to provide a library calling C functions and C data structures that can be used from any other programming language.

The Linux Foundation announced an Intel-backed embedded reference hypervisor project called “ACRN” that features real-time and safety-critical features for Linux and Android IoT and automotive projects.

At the Embedded Linux Conference in Portland, Oregon, the Linux Foundation announced a project called ACRN (like “acorn”) based on Intel technology that will develop a lightweight, open source embedded reference hypervisor. Licensed with the permissive BSD-3-Clause, the technology supports a variety of IoT applications including automotive.

The lawsuit, filed in Seattle federal court in 2015, is attracting wider attention after a series of powerful men have left or been fired from their jobs in entertainment, the media and politics for sexual misconduct.

Plaintiffs’ attorneys are pushing to proceed as a class action lawsuit, which could cover more than 8,000 women.

According to a newly unsealed court filing, women at Microsoft who work in technical jobs filed 238 internal complaints pertaining to gender discrimination or sexual harassment from 2010 through 2016. The new document was first reported Monday evening by Reuters.

The figures were revealed as part of a proposed class-action lawsuit originally filed in 2015 (Moussouris v. Microsoft). The female plaintiffs argue that the company’s internal rating system discriminates against women and disfavors professional advancement for women.

Imad Sousou, Intel's GM of the Open-Source Technology Center, had some interesting remarks to make during his keynote today as part of this week's Embedded Linux Conference in Portland.

First up, they have two new open-source project announcements: ACRN and Sound Open Firmware (SOF).

Sound Open Firmware has us most excited with Intel's focus now on opening up more of their firmware, beginning with audio. Sound Open Firmware includes an open-source audio DSP firmware and SDK. The SOF stack works on all Intel hardware platforms and can assist in debugging audio/DSP issues.

GPUs are critical for training deep learning models and neural networks. Though it may not be needed for simple models based on linear regression and logistic regression, complex models designed around convolutional neural networks (CNNs) and recurrent neural networks heavily rely on GPUs. Especially computer vision-related models based on frameworks such as Caffe2 and TensorFlow have a dependency on GPU.

In supervised machine learning, a set of features and labels are used to train a model. Deep learning algorithms don’t even need explicit features to evolve trained models. They pretty much “learn” from existing datasets designated for training, testing, and evaluation.

Amp is a lightweight, fully-featured Vi/Vim inspired text editor for your Linux terminal, written in Rust. It provides the core interaction model of Vi/Vim in a simplified way, and puts together the fundamental features required for a modern text editor.

It is a zero-configuration, no-plugins and terminal-based user interface that combines extremely well with terminal emulators such as tmux and Alacritty. Amp also supports a modal, keyboard-driven interface inspired by Vim that makes navigating and editing text fast.

Terminus is a cross-platform, open source, web technology based Terminal for the modern age. It is heavily inspired by Hyper, a beautiful terminal built on web technologies. Unlike the traditional terminals, Terminus ships with some cool features by default. It is fully customizable with multiple app themes and color schemes for the terminal. We can spawn or hide Terminus using a global hotkey. It keeps the current directory in all newly opened tabs. You can also extend the functionality of Terminus by installing plugins.

PyCharm is a Python Integrated Development Environment for Professional Developers and also anyone who can code in Python or is even learning how to code in Python. There are two versions, a paid professional version or a community edition which is free for use. Though not all features in the professional version are included in the community edition. Alright, let’s dig into it.

Automotive Linux Summit (ALS) connects the developers, vendors, and users driving innovation in Automotive Linux. Co-located with Open Source Summit Japan, ALS will gather over 1,000 attendees from global companies leading and accelerating the development and adoption of a fully open software stack for the connected vehicle.

The Linux Foundation announced today that Sound Open Firmware (SOF) has become a Linux Foundation project. With significant engineering and code contributions from Intel® Corporation, SOF includes a digital signal processing (DSP) firmware and an SDK that together provide infrastructure and development tools for developers working on audio or signal processing. Intel and Google support SOF and invite others to join them in advancing the project.

Yesterday, the Kubernetes Product Security team released information about two significant bugs in Kubernetes, which were assigned CVE-2017-1002101 and CVE-2017-1002102. OpenShift is built upon Kubernetes and as such these bugs were also present in both OpenShift Online and OpenShift Dedicated. Red Hat, along with Google and other members of the Cloud Native Computing Foundation, worked to create and coordinate the release of security fixes for these affected products.

In response to these security errata, at the time the embargo was lifted, the OpenShift SRE team worked around the clock, across three geographic regions (NASA, APAC, and EMEA) to remediate the bug on all affected clusters.

The recent DevConf.cz conference in Brno, Czechia is an annual event run by and for open source developers and enthusiasts. Hundreds of speakers showed off countless technologies and features advancing the state of open source in Linux and far beyond. A perennially popular subject at open source conferences is security. Below is a selection of videos from the many outstanding sessions where presenters covered security topics.

Nullcon 2018 is a security conference which takes place in India. For me it was the second time I attended and it was again a very nice experience.

Jörg’s Audit +++ took place on Wednesday and Thursday including the option to do the OPSE certification. The training session is not so much about technical skills but more about the soft skills. It should help managers to understand the work which security testers are doing and help security testers to do their work in a proper way.

[...]

As Nullcon is a security conference you see a lot of Windows related topics. But from my point of view it would be a perfect place to talk about the measures the Linux community is taking to make the world a more secure place.

You can define a disk image size, select a language, set a user and root password, select a Debian distribution and enable backports just by one click. It's possible to add your public key for access to the root account without a password. This can also be done by just specifying your GitHub account. Several disk formats are supported, like raw (compressed with xz or zstd), qcow2, vdi, vhdx and vmdk. And you can add your own list of packages you want to have inside this OS. After a few minutes the disk image is created and you will get a download link, including a log of the creation process and a link to the FAI configuration that was used to create your customized image.

Univention is proud to present the latest Univention Corporate Server (UCS) release. Version 4.3 of the established Open Source software now allows administrators to customize the portal pages which can be set up in UCS to suit the specific requirements of their organization very simply via the drag and drop feature. In addition, they are also able to make the more than 90 enterprise applications in UCS’ integrated App Center available to users. The users access these applications via the portal pages and, insofar as the respective application permits, only need to log in once thanks to the single sign-on mechanism. Univention has also considerably improved the data import performance. In this way, UCS 4.3 allows smaller companies to administrate heterogeneous IT environments with ease and fulfills the requirements of larger organizations with tens of thousands of users at the same time.

I am a long-time Ubuntu user and community contributor. I love how open-source communities generally work; sure, there are hiccups, like companies mandating decisions that aren't popular amongst the community. The idea of me being able to fix an issue and getting that released to hundreds of thousands of people is just priceless for me.

For a long time, I have distinguished some issues in Linux on the desktop that I want fixed. The biggest is always having the latest version of the software I use. Think of Android for example, you always get the latest version of the app, directly from the developers with no package maintainer in between. That's the ideal scenario but for us currently on Linux it may not be possible in all cases because of the fragmentation we have.

The official Arduino development team has today revealed at the Embedded Linux Conference 2018 expansion of a number of architectures supported by its Arduino Create platform for the development of Internet of Things applications. The latest release allows Arduino Create users to manage and program a wide range of popular Linux single-board computers such as the awesome Raspberry Pi which has today received a new addition to its range in the form of the Raspberry Pi 3+, AAEON UP² and BeagleBone as if they were regular Arduino development boards.

LWN has covered the open RISC-V ("risk five") processor architecture before, most recently in this article. As the ecosystem and tools around RISC-V have started coming together, a more detailed look is in order. In a series of two articles, I will look at what RISC-V is and follow up with an article on how we can now port Linux distributions to run on it.

The words "Free and Open RISC Instruction Set Architecture" are emblazoned across the web site of the RISC-V Foundation along with the logos of some possibly surprising companies: Google, hard disk manufacturer Western Digital, and notable ARM licensees Samsung and NVIDIA. An instruction set architecture (ISA) is a specification for the instructions or machine code that you feed to a processor and how you encode those instructions into a binary form, along with many other precise details about how a family of processors works. Modern ISAs are huge and complex specifications. Perhaps the most famous ISA is Intel's x86 — that specification runs to ten volumes.

More importantly, ISAs are covered by aggressive copyright, patent, and trademark rules. Want to independently implement an x86-compatible processor? Almost certainly you simply cannot do that without making arrangements with Intel — something the company rarely does. Want to create your own ARM processor? You will need to pay licensing fees to Arm Holdings up front and again for every core you ship.

In contrast, open ISAs, of which RISC-V is only one of the newest, have permissive licenses. RISC-V's specifications, covering user-space instructions and the privileged instructions are licensed under a Creative Commons license (CC BY 4.0). Furthermore, researchers have determined that all RISC-V instructions have prior art and are now patent-free. (Note this is different from saying that implementations will be open or patent-free — almost certainly the highest end chips will be closed and implementations patented). There are also several "cores" — code that compiles to Verilog and can be programmed into an FPGA or (with a great deal more effort) made into a custom chip — licensed under the three-clause BSD.

Here’s GNOME 3.28 – See What’s New

The latest version of GNOME 3 has been released today. Version 3.28 contains six months of work and new features by the GNOME community and comes with many improvements and new features.
One major new feature for this release is automatic downloading of operating systems in Boxes, which takes the work out of creating and running virtual machines – just pick the operating system that you want to create a virtual machine of, and Boxes will now download and install it for you.
Other highlights include improvements to the Calendar and Contacts applications, the ability to star files and folders in the Files application, and improved support for Thunderbolt 3 and Bluetooth LE devices. GNOME’s default UI font has also been overhauled to be more attractive and easy to read, and the on-screen keyboard has been rewritten to be more reliable and has layouts for a number of different locales.
Also: textures and paintables

LG releases webOS Open Source Edition, looks to expand webOS usage

LG’s smart TVs ship with an operating system called webOS, which is the latest version of an operating system that was developed by Palm to run on phones, acquired by HP to use with tablets, and eventually sold to LG, which is still using it today.
But now LG wants to expand the adoption of webOS and the company is working with the South Korean government to solicit business proposals from other companies interested in using webOS.
LG has also released a webOS Open Source Edition version of the operating system.